Mercurial > vim
diff src/crypt.c @ 32670:695b50472e85
Fix line endings issue
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Mon, 26 Jun 2023 13:13:12 +0200 |
| parents | 448aef880252 |
| children | 4091ae33b9ec |
line wrap: on
line diff
--- a/src/crypt.c +++ b/src/crypt.c @@ -1,1325 +1,1325 @@ -/* vi:set ts=8 sts=4 sw=4 noet: - * - * VIM - Vi IMproved by Bram Moolenaar - * - * Do ":help uganda" in Vim to read copying and usage conditions. - * Do ":help credits" in Vim to see a list of people who contributed. - * See README.txt for an overview of the Vim source code. - */ - -/* - * crypt.c: Generic encryption support. - */ -#include "vim.h" - -#if defined(FEAT_CRYPT) || defined(PROTO) -/* - * Optional encryption support. - * Mohsin Ahmed, mosh@sasi.com, 1998-09-24 - * Based on zip/crypt sources. - * Refactored by David Leadbeater, 2014. - * - * NOTE FOR USA: Since 2000 exporting this code from the USA is allowed to - * most countries. There are a few exceptions, but that still should not be a - * problem since this code was originally created in Europe and India. - * - * Blowfish addition originally made by Mohsin Ahmed, - * http://www.cs.albany.edu/~mosh 2010-03-14 - * Based on blowfish by Bruce Schneier (http://www.schneier.com/blowfish.html) - * and sha256 by Christophe Devine. - */ - -typedef struct { - char *name; // encryption name as used in 'cryptmethod' - char *magic; // magic bytes stored in file header - int salt_len; // length of salt, or 0 when not using salt - int seed_len; // length of seed, or 0 when not using seed - int add_len; // additional length in the header needed for storing - // custom data -#ifdef CRYPT_NOT_INPLACE - int works_inplace; // encryption/decryption can be done in-place -#endif - int whole_undofile; // whole undo file is encrypted - - // Optional function pointer for a self-test. - int (*self_test_fn)(void); - - // Function pointer for initializing encryption/decryption. - int (* init_fn)(cryptstate_T *state, char_u *key, crypt_arg_T *arg); - - // Function pointers for encoding/decoding from one buffer into another. - // Optional, however, these or the _buffer ones should be configured. - void (*encode_fn)(cryptstate_T *state, char_u *from, size_t len, - char_u *to, int last); - void (*decode_fn)(cryptstate_T *state, char_u *from, size_t len, - char_u *to, int last); - - // Function pointers for encoding and decoding, can buffer data if needed. - // Optional (however, these or the above should be configured). - long (*encode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, - char_u **newptr, int last); - long (*decode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, - char_u **newptr, int last); - - // Function pointers for in-place encoding and decoding, used for - // crypt_*_inplace(). "from" and "to" arguments will be equal. - // These may be the same as decode_fn and encode_fn above, however an - // algorithm may implement them in a way that is not interchangeable with - // the crypt_(en|de)code() interface (for example because it wishes to add - // padding to files). - // This method is used for swap and undo files which have a rigid format. - void (*encode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, - char_u *p2, int last); - void (*decode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, - char_u *p2, int last); -} cryptmethod_T; - -static int crypt_sodium_init_(cryptstate_T *state, char_u *key, crypt_arg_T *arg); -static long crypt_sodium_buffer_decode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); -static long crypt_sodium_buffer_encode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); -#if defined(FEAT_EVAL) && defined(FEAT_SODIUM) -static void crypt_sodium_report_hash_params(unsigned long long opslimit, unsigned long long ops_def, size_t memlimit, size_t mem_def, int alg, int alg_def); -#endif - -// index is method_nr of cryptstate_T, CRYPT_M_* -static cryptmethod_T cryptmethods[CRYPT_M_COUNT] = { - // PK_Zip; very weak - { - "zip", - "VimCrypt~01!", - 0, - 0, - 0, -#ifdef CRYPT_NOT_INPLACE - TRUE, -#endif - FALSE, - NULL, - crypt_zip_init, - crypt_zip_encode, crypt_zip_decode, - NULL, NULL, - crypt_zip_encode, crypt_zip_decode, - }, - - // Blowfish/CFB + SHA-256 custom key derivation; implementation issues. - { - "blowfish", - "VimCrypt~02!", - 8, - 8, - 0, -#ifdef CRYPT_NOT_INPLACE - TRUE, -#endif - FALSE, - blowfish_self_test, - crypt_blowfish_init, - crypt_blowfish_encode, crypt_blowfish_decode, - NULL, NULL, - crypt_blowfish_encode, crypt_blowfish_decode, - }, - - // Blowfish/CFB + SHA-256 custom key derivation; fixed. - { - "blowfish2", - "VimCrypt~03!", - 8, - 8, - 0, -#ifdef CRYPT_NOT_INPLACE - TRUE, -#endif - TRUE, - blowfish_self_test, - crypt_blowfish_init, - crypt_blowfish_encode, crypt_blowfish_decode, - NULL, NULL, - crypt_blowfish_encode, crypt_blowfish_decode, - }, - - // XChaCha20 using libsodium; implementation issues - { - "xchacha20", - "VimCrypt~04!", -#ifdef FEAT_SODIUM - crypto_pwhash_argon2id_SALTBYTES, // 16 -#else - 16, -#endif - 8, - 0, -#ifdef CRYPT_NOT_INPLACE - FALSE, -#endif - FALSE, - NULL, - crypt_sodium_init_, - NULL, NULL, - crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, - NULL, NULL, - }, - // XChaCha20 using libsodium; stores parameters in header - { - "xchacha20v2", - "VimCrypt~05!", -#ifdef FEAT_SODIUM - crypto_pwhash_argon2id_SALTBYTES, // 16 -#else - 16, -#endif - 8, - // sizeof(crypto_pwhash_OPSLIMIT_INTERACTIVE + crypto_pwhash_MEMLIMIT_INTERACTIVE + crypto_pwhash_ALG_DEFAULT) - 20, -#ifdef CRYPT_NOT_INPLACE - FALSE, -#endif - FALSE, - NULL, - crypt_sodium_init_, - NULL, NULL, - crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, - NULL, NULL, - }, - - // NOTE: when adding a new method, use some random bytes for the magic key, - // to avoid that a text file is recognized as encrypted. -}; - -#if defined(FEAT_SODIUM) || defined(PROTO) -typedef struct { - size_t count; - unsigned char key[crypto_box_SEEDBYTES]; - // 32, same as crypto_secretstream_xchacha20poly1305_KEYBYTES - crypto_secretstream_xchacha20poly1305_state - state; -} sodium_state_T; - - -# ifdef DYNAMIC_SODIUM -# ifdef MSWIN -# define SODIUM_PROC FARPROC -# define load_dll vimLoadLib -# define symbol_from_dll GetProcAddress -# define close_dll FreeLibrary -# define load_dll_error GetWin32Error -# else -# error Dynamic loading of libsodium is not supported for now. -//# define HINSTANCE void* -//# define SODIUM_PROC void* -//# define load_dll(n) dlopen((n), RTLD_LAZY|RTLD_GLOBAL) -//# define symbol_from_dll dlsym -//# define close_dll dlclose -//# define load_dll_error dlerror -# endif - -# define sodium_init load_sodium -# define sodium_free dll_sodium_free -# define sodium_malloc dll_sodium_malloc -# define sodium_memzero dll_sodium_memzero -# define sodium_mlock dll_sodium_mlock -# define sodium_munlock dll_sodium_munlock -# define crypto_secretstream_xchacha20poly1305_init_push \ - dll_crypto_secretstream_xchacha20poly1305_init_push -# define crypto_secretstream_xchacha20poly1305_push \ - dll_crypto_secretstream_xchacha20poly1305_push -# define crypto_secretstream_xchacha20poly1305_init_pull \ - dll_crypto_secretstream_xchacha20poly1305_init_pull -# define crypto_secretstream_xchacha20poly1305_pull \ - dll_crypto_secretstream_xchacha20poly1305_pull -# define crypto_pwhash dll_crypto_pwhash -# define randombytes_buf dll_randombytes_buf -# define randombytes_random dll_randombytes_random - -static int (*dll_sodium_init)(void) = NULL; -static void (*dll_sodium_free)(void *) = NULL; -static void *(*dll_sodium_malloc)(const size_t) = NULL; -static void (*dll_sodium_memzero)(void * const, const size_t) = NULL; -static int (*dll_sodium_mlock)(void * const, const size_t) = NULL; -static int (*dll_sodium_munlock)(void * const, const size_t) = NULL; -static int (*dll_crypto_secretstream_xchacha20poly1305_init_push) - (crypto_secretstream_xchacha20poly1305_state *state, - unsigned char [], - const unsigned char []) = NULL; -static int (*dll_crypto_secretstream_xchacha20poly1305_push) - (crypto_secretstream_xchacha20poly1305_state *state, - unsigned char *c, unsigned long long *clen_p, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, unsigned char tag) - = NULL; -static int (*dll_crypto_secretstream_xchacha20poly1305_init_pull) - (crypto_secretstream_xchacha20poly1305_state *state, - const unsigned char [], - const unsigned char []) = NULL; -static int (*dll_crypto_secretstream_xchacha20poly1305_pull) - (crypto_secretstream_xchacha20poly1305_state *state, - unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen) = NULL; -static int (*dll_crypto_pwhash)(unsigned char * const out, - unsigned long long outlen, - const char * const passwd, unsigned long long passwdlen, - const unsigned char * const salt, - unsigned long long opslimit, size_t memlimit, int alg) - = NULL; -static void (*dll_randombytes_buf)(void * const buf, const size_t size); -static uint32_t (*dll_randombytes_random)(void); - -static struct { - const char *name; - SODIUM_PROC *ptr; -} sodium_funcname_table[] = { - {"sodium_init", (SODIUM_PROC*)&dll_sodium_init}, - {"sodium_free", (SODIUM_PROC*)&dll_sodium_free}, - {"sodium_malloc", (SODIUM_PROC*)&dll_sodium_malloc}, - {"sodium_memzero", (SODIUM_PROC*)&dll_sodium_memzero}, - {"sodium_mlock", (SODIUM_PROC*)&dll_sodium_mlock}, - {"sodium_munlock", (SODIUM_PROC*)&dll_sodium_munlock}, - {"crypto_secretstream_xchacha20poly1305_init_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_push}, - {"crypto_secretstream_xchacha20poly1305_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_push}, - {"crypto_secretstream_xchacha20poly1305_init_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_pull}, - {"crypto_secretstream_xchacha20poly1305_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_pull}, - {"crypto_pwhash", (SODIUM_PROC*)&dll_crypto_pwhash}, - {"randombytes_buf", (SODIUM_PROC*)&dll_randombytes_buf}, - {"randombytes_random", (SODIUM_PROC*)&dll_randombytes_random}, - {NULL, NULL} -}; - - static int -sodium_runtime_link_init(int verbose) -{ - static HINSTANCE hsodium = NULL; - const char *libname = DYNAMIC_SODIUM_DLL; - int i; - - if (hsodium != NULL) - return OK; - - hsodium = load_dll(libname); - if (hsodium == NULL) - { - if (verbose) - semsg(_(e_could_not_load_library_str_str), libname, load_dll_error()); - return FAIL; - } - - for (i = 0; sodium_funcname_table[i].ptr; ++i) - { - if ((*sodium_funcname_table[i].ptr = symbol_from_dll(hsodium, - sodium_funcname_table[i].name)) == NULL) - { - close_dll(hsodium); - hsodium = NULL; - if (verbose) - semsg(_(e_could_not_load_library_function_str), sodium_funcname_table[i].name); - return FAIL; - } - } - return OK; -} - - static int -load_sodium(void) -{ - if (sodium_runtime_link_init(TRUE) == FAIL) - return -1; - return dll_sodium_init(); -} -# endif - -# if defined(DYNAMIC_SODIUM) || defined(PROTO) - int -sodium_enabled(int verbose) -{ - return sodium_runtime_link_init(verbose) == OK; -} -# endif -#endif - -#define CRYPT_MAGIC_LEN 12 // cannot change -static char crypt_magic_head[] = "VimCrypt~"; - -/* - * Return int value for crypt method name. - * 0 for "zip", the old method. Also for any non-valid value. - * 1 for "blowfish". - * 2 for "blowfish2". - */ - int -crypt_method_nr_from_name(char_u *name) -{ - int i; - - for (i = 0; i < CRYPT_M_COUNT; ++i) - if (STRCMP(name, cryptmethods[i].name) == 0) - return i; - return 0; -} - -/* - * Get the crypt method used for a file from "ptr[len]", the magic text at the - * start of the file. - * Returns -1 when no encryption used. - */ - int -crypt_method_nr_from_magic(char *ptr, int len) -{ - int i; - - if (len < CRYPT_MAGIC_LEN) - return -1; - - for (i = 0; i < CRYPT_M_COUNT; i++) - if (memcmp(ptr, cryptmethods[i].magic, CRYPT_MAGIC_LEN) == 0) - return i; - - i = (int)STRLEN(crypt_magic_head); - if (len >= i && memcmp(ptr, crypt_magic_head, i) == 0) - emsg(_(e_file_is_encrypted_with_unknown_method)); - - return -1; -} - -#ifdef CRYPT_NOT_INPLACE -/* - * Return TRUE if the crypt method for "method_nr" can be done in-place. - */ - int -crypt_works_inplace(cryptstate_T *state) -{ - return cryptmethods[state->method_nr].works_inplace; -} -#endif - -/* - * Get the crypt method for buffer "buf" as a number. - */ - int -crypt_get_method_nr(buf_T *buf) -{ - return crypt_method_nr_from_name(*buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); -} - -/* - * Returns True for Sodium Encryption. - */ - int -crypt_method_is_sodium(int method) -{ - return method == CRYPT_M_SOD || method == CRYPT_M_SOD2; -} - -/* - * Return TRUE when the buffer uses an encryption method that encrypts the - * whole undo file, not only the text. - */ - int -crypt_whole_undofile(int method_nr) -{ - return cryptmethods[method_nr].whole_undofile; -} - -/* - * Get crypt method specific length of the file header in bytes. - */ - int -crypt_get_header_len(int method_nr) -{ - return CRYPT_MAGIC_LEN - + cryptmethods[method_nr].salt_len - + cryptmethods[method_nr].seed_len - + cryptmethods[method_nr].add_len; -} - - -#if defined(FEAT_SODIUM) || defined(PROTO) -/* - * Get maximum crypt method specific length of the file header in bytes. - */ - int -crypt_get_max_header_len(void) -{ - int i; - int max = 0; - int temp = 0; - - for (i = 0; i < CRYPT_M_COUNT; ++i) - { - temp = crypt_get_header_len(i); - if (temp > max) - max = temp; - } - return max; -} -#endif - -/* - * Set the crypt method for buffer "buf" to "method_nr" using the int value as - * returned by crypt_method_nr_from_name(). - */ - void -crypt_set_cm_option(buf_T *buf, int method_nr) -{ - free_string_option(buf->b_p_cm); - buf->b_p_cm = vim_strsave((char_u *)cryptmethods[method_nr].name); -} - -/* - * If the crypt method for the current buffer has a self-test, run it and - * return OK/FAIL. - */ - int -crypt_self_test(void) -{ - int method_nr = crypt_get_method_nr(curbuf); - - if (cryptmethods[method_nr].self_test_fn == NULL) - return OK; - return cryptmethods[method_nr].self_test_fn(); -} - -/* - * Allocate a crypt state and initialize it. - * Return NULL for failure. - */ - cryptstate_T * -crypt_create( - int method_nr, - char_u *key, - crypt_arg_T *crypt_arg) -{ - cryptstate_T *state = ALLOC_ONE(cryptstate_T); - - if (state == NULL) - return state; - - state->method_nr = method_nr; - if (cryptmethods[method_nr].init_fn(state, key, crypt_arg) == FAIL) - { - vim_free(state); - return NULL; - } - return state; -} - -/* - * Allocate a crypt state from a file header and initialize it. - * Assumes that header contains at least the number of bytes that - * crypt_get_header_len() returns for "method_nr". - */ - cryptstate_T * -crypt_create_from_header( - int method_nr, - char_u *key, - char_u *header) -{ - crypt_arg_T arg; - - CLEAR_FIELD(arg); - arg.cat_init_from_file = TRUE; - - arg.cat_salt_len = cryptmethods[method_nr].salt_len; - arg.cat_seed_len = cryptmethods[method_nr].seed_len; - arg.cat_add_len = cryptmethods[method_nr].add_len; - if (arg.cat_salt_len > 0) - arg.cat_salt = header + CRYPT_MAGIC_LEN; - if (arg.cat_seed_len > 0) - arg.cat_seed = header + CRYPT_MAGIC_LEN + arg.cat_salt_len; - if (arg.cat_add_len > 0) - arg.cat_add = header + CRYPT_MAGIC_LEN - + arg.cat_salt_len + arg.cat_seed_len; - - return crypt_create(method_nr, key, &arg); -} - -/* - * Read the crypt method specific header data from "fp". - * Return an allocated cryptstate_T or NULL on error. - */ - cryptstate_T * -crypt_create_from_file(FILE *fp, char_u *key) -{ - int method_nr; - int header_len; - char magic_buffer[CRYPT_MAGIC_LEN]; - char_u *buffer; - cryptstate_T *state; - - if (fread(magic_buffer, CRYPT_MAGIC_LEN, 1, fp) != 1) - return NULL; - method_nr = crypt_method_nr_from_magic(magic_buffer, CRYPT_MAGIC_LEN); - if (method_nr < 0) - return NULL; - - header_len = crypt_get_header_len(method_nr); - if ((buffer = alloc(header_len)) == NULL) - return NULL; - mch_memmove(buffer, magic_buffer, CRYPT_MAGIC_LEN); - if (header_len > CRYPT_MAGIC_LEN - && fread(buffer + CRYPT_MAGIC_LEN, - header_len - CRYPT_MAGIC_LEN, 1, fp) != 1) - { - vim_free(buffer); - return NULL; - } - - state = crypt_create_from_header(method_nr, key, buffer); - vim_free(buffer); - return state; -} - -/* - * Allocate a cryptstate_T for writing and initialize it with "key". - * Allocates and fills in the header and stores it in "header", setting - * "header_len". The header may include salt and seed, depending on - * cryptmethod. Caller must free header. - * Returns the state or NULL on failure. - */ - cryptstate_T * -crypt_create_for_writing( - int method_nr, - char_u *key, - char_u **header, - int *header_len) -{ - int len = crypt_get_header_len(method_nr); - crypt_arg_T arg; - cryptstate_T *state; - - CLEAR_FIELD(arg); - arg.cat_salt_len = cryptmethods[method_nr].salt_len; - arg.cat_seed_len = cryptmethods[method_nr].seed_len; - arg.cat_add_len = cryptmethods[method_nr].add_len; - arg.cat_init_from_file = FALSE; - - *header_len = len; - *header = alloc(len); - if (*header == NULL) - return NULL; - - mch_memmove(*header, cryptmethods[method_nr].magic, CRYPT_MAGIC_LEN); - if (arg.cat_salt_len > 0 || arg.cat_seed_len > 0 || arg.cat_add_len > 0) - { - if (arg.cat_salt_len > 0) - arg.cat_salt = *header + CRYPT_MAGIC_LEN; - if (arg.cat_seed_len > 0) - arg.cat_seed = *header + CRYPT_MAGIC_LEN + arg.cat_salt_len; - if (arg.cat_add_len > 0) - arg.cat_add = *header + CRYPT_MAGIC_LEN - + arg.cat_salt_len + arg.cat_seed_len; - - // TODO: Should this be crypt method specific? (Probably not worth - // it). sha2_seed is pretty bad for large amounts of entropy, so make - // that into something which is suitable for anything. -#ifdef FEAT_SODIUM - if (sodium_init() >= 0) - { - if (arg.cat_salt_len > 0) - randombytes_buf(arg.cat_salt, arg.cat_salt_len); - if (arg.cat_seed_len > 0) - randombytes_buf(arg.cat_seed, arg.cat_seed_len); - } - else -#endif - sha2_seed(arg.cat_salt, arg.cat_salt_len, arg.cat_seed, arg.cat_seed_len); - } - state = crypt_create(method_nr, key, &arg); - if (state == NULL) - VIM_CLEAR(*header); - return state; -} - -/* - * Free the crypt state. - */ - void -crypt_free_state(cryptstate_T *state) -{ -#ifdef FEAT_SODIUM - if (crypt_method_is_sodium(state->method_nr)) - { - sodium_munlock(((sodium_state_T *)state->method_state)->key, - crypto_box_SEEDBYTES); - sodium_memzero(state->method_state, sizeof(sodium_state_T)); - sodium_free(state->method_state); - } - else -#endif - vim_free(state->method_state); - vim_free(state); -} - -#ifdef CRYPT_NOT_INPLACE -/* - * Encode "from[len]" and store the result in a newly allocated buffer, which - * is stored in "newptr". - * Return number of bytes in "newptr", 0 for need more or -1 on error. - */ - long -crypt_encode_alloc( - cryptstate_T *state, - char_u *from, - size_t len, - char_u **newptr, - int last) -{ - cryptmethod_T *method = &cryptmethods[state->method_nr]; - - if (method->encode_buffer_fn != NULL) - // Has buffer function, pass through. - return method->encode_buffer_fn(state, from, len, newptr, last); - if (len == 0) - // Not buffering, just return EOF. - return (long)len; - - *newptr = alloc(len + 50); - if (*newptr == NULL) - return -1; - method->encode_fn(state, from, len, *newptr, last); - return (long)len; -} - -/* - * Decrypt "ptr[len]" and store the result in a newly allocated buffer, which - * is stored in "newptr". - * Return number of bytes in "newptr", 0 for need more or -1 on error. - */ - long -crypt_decode_alloc( - cryptstate_T *state, - char_u *ptr, - long len, - char_u **newptr, - int last) -{ - cryptmethod_T *method = &cryptmethods[state->method_nr]; - - if (method->decode_buffer_fn != NULL) - // Has buffer function, pass through. - return method->decode_buffer_fn(state, ptr, len, newptr, last); - - if (len == 0) - // Not buffering, just return EOF. - return len; - - *newptr = alloc(len); - if (*newptr == NULL) - return -1; - method->decode_fn(state, ptr, len, *newptr, last); - return len; -} -#endif - -/* - * Encrypting "from[len]" into "to[len]". - */ - void -crypt_encode( - cryptstate_T *state, - char_u *from, - size_t len, - char_u *to, - int last) -{ - cryptmethods[state->method_nr].encode_fn(state, from, len, to, last); -} - -#if 0 // unused -/* - * decrypting "from[len]" into "to[len]". - */ - void -crypt_decode( - cryptstate_T *state, - char_u *from, - size_t len, - char_u *to, - int last) -{ - cryptmethods[state->method_nr].decode_fn(state, from, len, to, last); -} -#endif - -/* - * Simple inplace encryption, modifies "buf[len]" in place. - */ - void -crypt_encode_inplace( - cryptstate_T *state, - char_u *buf, - size_t len, - int last) -{ - cryptmethods[state->method_nr].encode_inplace_fn(state, buf, len, - buf, last); -} - -/* - * Simple inplace decryption, modifies "buf[len]" in place. - */ - void -crypt_decode_inplace( - cryptstate_T *state, - char_u *buf, - size_t len, - int last) -{ - cryptmethods[state->method_nr].decode_inplace_fn(state, buf, len, - buf, last); -} - -/* - * Free an allocated crypt key. Clear the text to make sure it doesn't stay - * in memory anywhere. - */ - void -crypt_free_key(char_u *key) -{ - char_u *p; - - if (key != NULL) - { - for (p = key; *p != NUL; ++p) - *p = 0; - vim_free(key); - } -} - -/* - * Check the crypt method and give a warning if it's outdated. - */ - void -crypt_check_method(int method) -{ - if (method < CRYPT_M_BF2 || method == CRYPT_M_SOD) - { - msg_scroll = TRUE; - msg(_("Warning: Using a weak encryption method; see :help 'cm'")); - } -} - -/* - * If the crypt method for "curbuf" does not support encrypting the swap file - * then disable the swap file. - */ - void -crypt_check_swapfile_curbuf(void) -{ -#ifdef FEAT_SODIUM - int method = crypt_get_method_nr(curbuf); - if (crypt_method_is_sodium(method)) - { - // encryption uses padding and MAC, that does not work very well with - // swap and undo files, so disable them - mf_close_file(curbuf, TRUE); // remove the swap file - set_option_value_give_err((char_u *)"swf", 0, NULL, OPT_LOCAL); - msg_scroll = TRUE; - msg(_("Note: Encryption of swapfile not supported, disabling swap file")); - } -#endif -} - - void -crypt_check_current_method(void) -{ - crypt_check_method(crypt_get_method_nr(curbuf)); -} - -/* - * Ask the user for a crypt key. - * When "store" is TRUE, the new key is stored in the 'key' option, and the - * 'key' option value is returned: Don't free it. - * When "store" is FALSE, the typed key is returned in allocated memory. - * Returns NULL on failure. - */ - char_u * -crypt_get_key( - int store, - int twice) // Ask for the key twice. -{ - char_u *p1, *p2 = NULL; - int round; - - for (round = 0; ; ++round) - { - cmdline_star = TRUE; - cmdline_row = msg_row; - p1 = getcmdline_prompt(NUL, round == 0 - ? (char_u *)_("Enter encryption key: ") - : (char_u *)_("Enter same key again: "), 0, EXPAND_NOTHING, - NULL); - cmdline_star = FALSE; - - if (p1 == NULL) - break; - - if (round == twice) - { - if (p2 != NULL && STRCMP(p1, p2) != 0) - { - msg(_("Keys don't match!")); - crypt_free_key(p1); - crypt_free_key(p2); - p2 = NULL; - round = -1; // do it again - continue; - } - - if (store) - { - set_option_value_give_err((char_u *)"key", 0L, p1, OPT_LOCAL); - crypt_free_key(p1); - p1 = curbuf->b_p_key; - crypt_check_swapfile_curbuf(); - } - break; - } - p2 = p1; - } - - // since the user typed this, no need to wait for return - if (!crypt_method_is_sodium(crypt_get_method_nr(curbuf))) - { - if (msg_didout) - msg_putchar('\n'); - need_wait_return = FALSE; - msg_didout = FALSE; - } - - crypt_free_key(p2); - return p1; -} - - -/* - * Append a message to IObuff for the encryption/decryption method being used. - */ - void -crypt_append_msg( - buf_T *buf) -{ - if (crypt_get_method_nr(buf) == 0) - STRCAT(IObuff, _("[crypted]")); - else - { - STRCAT(IObuff, "["); - STRCAT(IObuff, *buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); - STRCAT(IObuff, "]"); - } -} - - static int -crypt_sodium_init_( - cryptstate_T *state UNUSED, - char_u *key UNUSED, - crypt_arg_T *arg UNUSED) -{ -# ifdef FEAT_SODIUM - // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES - unsigned char dkey[crypto_box_SEEDBYTES]; // 32 - sodium_state_T *sd_state; - int retval = 0; - unsigned long long opslimit; - unsigned long long memlimit; - int alg; - - if (sodium_init() < 0) - return FAIL; - - sd_state = (sodium_state_T *)sodium_malloc(sizeof(sodium_state_T)); - sodium_memzero(sd_state, sizeof(sodium_state_T)); - - if ((state->method_nr == CRYPT_M_SOD2 && !arg->cat_init_from_file) - || state->method_nr == CRYPT_M_SOD) - { - opslimit = crypto_pwhash_OPSLIMIT_INTERACTIVE; - memlimit = crypto_pwhash_MEMLIMIT_INTERACTIVE; - alg = crypto_pwhash_ALG_DEFAULT; - -#if 0 - // For testing - if (state->method_nr == CRYPT_M_SOD2) - { - opslimit = crypto_pwhash_OPSLIMIT_MODERATE; - memlimit = crypto_pwhash_MEMLIMIT_MODERATE; - } -#endif - - // derive a key from the password - if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), - arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) - { - // out of memory - sodium_free(sd_state); - return FAIL; - } - memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); - - retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); - retval += sodium_mlock(key, STRLEN(key)); - - if (retval < 0) - { - emsg(_(e_encryption_sodium_mlock_failed)); - sodium_free(sd_state); - return FAIL; - } - // "cat_add" should not be NULL, check anyway for safety - if (state->method_nr == CRYPT_M_SOD2 && arg->cat_add != NULL) - { - memcpy(arg->cat_add, &opslimit, sizeof(opslimit)); - arg->cat_add += sizeof(opslimit); - - memcpy(arg->cat_add, &memlimit, sizeof(memlimit)); - arg->cat_add += sizeof(memlimit); - - memcpy(arg->cat_add, &alg, sizeof(alg)); - arg->cat_add += sizeof(alg); - } - } - else - { - // Reading parameters from file - if (arg->cat_add_len - < (int)(sizeof(opslimit) + sizeof(memlimit) + sizeof(alg))) - { - sodium_free(sd_state); - return FAIL; - } - - // derive the key from the file header - memcpy(&opslimit, arg->cat_add, sizeof(opslimit)); - arg->cat_add += sizeof(opslimit); - - memcpy(&memlimit, arg->cat_add, sizeof(memlimit)); - arg->cat_add += sizeof(memlimit); - - memcpy(&alg, arg->cat_add, sizeof(alg)); - arg->cat_add += sizeof(alg); - -#ifdef FEAT_EVAL - crypt_sodium_report_hash_params(opslimit, - crypto_pwhash_OPSLIMIT_INTERACTIVE, - (size_t)memlimit, crypto_pwhash_MEMLIMIT_INTERACTIVE, - alg, crypto_pwhash_ALG_DEFAULT); -#endif - - if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), - arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) - { - // out of memory - sodium_free(sd_state); - return FAIL; - } - memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); - - retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); - retval += sodium_mlock(key, STRLEN(key)); - - if (retval < 0) - { - emsg(_(e_encryption_sodium_mlock_failed)); - sodium_free(sd_state); - return FAIL; - } - } - sd_state->count = 0; - state->method_state = sd_state; - - return OK; -# else - emsg(_(e_libsodium_not_built_in)); - return FAIL; -# endif -} - -/* - * Encrypt "from[len]" into "to[len]". - * "from" and "to" can be equal to encrypt in place. - * Call needs to ensure that there is enough space in to (for the header) - */ -#if 0 // Currently unused - void -crypt_sodium_encode( - cryptstate_T *state UNUSED, - char_u *from UNUSED, - size_t len UNUSED, - char_u *to UNUSED, - int last UNUSED) -{ -# ifdef FEAT_SODIUM - // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES - sodium_state_T *sod_st = state->method_state; - unsigned char tag = last - ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; - - if (sod_st->count == 0) - { - if (len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) - { - emsg(_(e_libsodium_cannot_encrypt_header)); - return; - } - crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, - to, sod_st->key); - to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; - } - - if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) - { - emsg(_(e_libsodium_cannot_encrypt_buffer)); - return; - } - - crypto_secretstream_xchacha20poly1305_push(&sod_st->state, to, NULL, - from, len, NULL, 0, tag); - - sod_st->count++; -# endif -} -#endif - -/* - * Decrypt "from[len]" into "to[len]". - * "from" and "to" can be equal to encrypt in place. - */ -#if 0 // Currently unused - void -crypt_sodium_decode( - cryptstate_T *state UNUSED, - char_u *from UNUSED, - size_t len UNUSED, - char_u *to UNUSED, - int last UNUSED) -{ -# ifdef FEAT_SODIUM - // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES - sodium_state_T *sod_st = state->method_state; - unsigned char tag; - unsigned long long buf_len; - char_u *p1 = from; - char_u *p2 = to; - char_u *buf_out; - - if (sod_st->count == 0 - && len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) - { - emsg(_(e_libsodium_cannot_decrypt_header)); - return; - } - - buf_out = (char_u *)alloc(len); - - if (buf_out == NULL) - { - emsg(_(e_libsodium_cannot_allocate_buffer)); - return; - } - if (sod_st->count == 0) - { - if (crypto_secretstream_xchacha20poly1305_init_pull( - &sod_st->state, from, sod_st->key) != 0) - { - emsg(_(e_libsodium_decryption_failed_header_incomplete)); - goto fail; - } - - from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; - len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; - - if (p1 == p2) - to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; - } - - if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) - { - emsg(_(e_libsodium_cannot_decrypt_buffer)); - goto fail; - } - if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, - buf_out, &buf_len, &tag, from, len, NULL, 0) != 0) - { - emsg(_(e_libsodium_decryption_failed)); - goto fail; - } - sod_st->count++; - - if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) - { - emsg(_(e_libsodium_decryption_failed_premature)); - goto fail; - } - if (p1 == p2) - mch_memmove(p2, buf_out, buf_len); - -fail: - vim_free(buf_out); -# endif -} -#endif - -/* - * Encrypt "from[len]" into "to[len]". - * "from" and "to" can be equal to encrypt in place. - */ - static long -crypt_sodium_buffer_encode( - cryptstate_T *state UNUSED, - char_u *from UNUSED, - size_t len UNUSED, - char_u **buf_out UNUSED, - int last UNUSED) -{ -# ifdef FEAT_SODIUM - // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES - unsigned long long out_len; - char_u *ptr; - unsigned char tag = last - ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; - int length; - sodium_state_T *sod_st = state->method_state; - int first = (sod_st->count == 0); - - length = (int)len + crypto_secretstream_xchacha20poly1305_ABYTES - + (first ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); - *buf_out = alloc_clear(length); - if (*buf_out == NULL) - { - emsg(_(e_libsodium_cannot_allocate_buffer)); - return -1; - } - ptr = *buf_out; - - if (first) - { - crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, - ptr, sod_st->key); - ptr += crypto_secretstream_xchacha20poly1305_HEADERBYTES; - } - - crypto_secretstream_xchacha20poly1305_push(&sod_st->state, ptr, - &out_len, from, len, NULL, 0, tag); - - sod_st->count++; - return out_len + (first - ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); -# else - return -1; -# endif -} - -/* - * Decrypt "from[len]" into "to[len]". - * "from" and "to" can be equal to encrypt in place. - */ - static long -crypt_sodium_buffer_decode( - cryptstate_T *state UNUSED, - char_u *from UNUSED, - size_t len UNUSED, - char_u **buf_out UNUSED, - int last UNUSED) -{ -# ifdef FEAT_SODIUM - // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES - sodium_state_T *sod_st = state->method_state; - unsigned char tag; - unsigned long long out_len; - - if (sod_st->count == 0 - && state->method_nr == CRYPT_M_SOD - && len > WRITEBUFSIZE - + crypto_secretstream_xchacha20poly1305_HEADERBYTES - + crypto_secretstream_xchacha20poly1305_ABYTES) - len -= cryptmethods[CRYPT_M_SOD2].add_len; - - *buf_out = alloc_clear(len); - if (*buf_out == NULL) - { - emsg(_(e_libsodium_cannot_allocate_buffer)); - return -1; - } - - if (sod_st->count == 0) - { - if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state, - from, sod_st->key) != 0) - { - emsg(_(e_libsodium_decryption_failed_header_incomplete)); - return -1; - } - from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; - len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; - sod_st->count++; - } - if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, - *buf_out, &out_len, &tag, from, len, NULL, 0) != 0) - { - emsg(_(e_libsodium_decryption_failed)); - return -1; - } - - if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) - emsg(_(e_libsodium_decryption_failed_premature)); - return (long) out_len; -# else - return -1; -# endif -} - -# if defined(FEAT_SODIUM) || defined(PROTO) - int -crypt_sodium_munlock(void *const addr, const size_t len) -{ - return sodium_munlock(addr, len); -} - - void -crypt_sodium_randombytes_buf(void *const buf, const size_t size) -{ - randombytes_buf(buf, size); -} - - int -crypt_sodium_init(void) -{ - return sodium_init(); -} - - uint32_t -crypt_sodium_randombytes_random(void) -{ - return randombytes_random(); -} - -#if defined(FEAT_EVAL) || defined(PROTO) - static void -crypt_sodium_report_hash_params( - unsigned long long opslimit, - unsigned long long ops_def, - size_t memlimit, - size_t mem_def, - int alg, - int alg_def) -{ - if (p_verbose > 0) - { - verbose_enter(); - if (opslimit != ops_def) - smsg(_("xchacha20v2: using custom opslimit \"%llu\" for Key derivation."), opslimit); - else - smsg(_("xchacha20v2: using default opslimit \"%llu\" for Key derivation."), opslimit); - if (memlimit != mem_def) - smsg(_("xchacha20v2: using custom memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); - else - smsg(_("xchacha20v2: using default memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); - if (alg != alg_def) - smsg(_("xchacha20v2: using custom algorithm \"%d\" for Key derivation."), alg); - else - smsg(_("xchacha20v2: using default algorithm \"%d\" for Key derivation."), alg); - verbose_leave(); - } -} -#endif -# endif - -#endif // FEAT_CRYPT +/* vi:set ts=8 sts=4 sw=4 noet: + * + * VIM - Vi IMproved by Bram Moolenaar + * + * Do ":help uganda" in Vim to read copying and usage conditions. + * Do ":help credits" in Vim to see a list of people who contributed. + * See README.txt for an overview of the Vim source code. + */ + +/* + * crypt.c: Generic encryption support. + */ +#include "vim.h" + +#if defined(FEAT_CRYPT) || defined(PROTO) +/* + * Optional encryption support. + * Mohsin Ahmed, mosh@sasi.com, 1998-09-24 + * Based on zip/crypt sources. + * Refactored by David Leadbeater, 2014. + * + * NOTE FOR USA: Since 2000 exporting this code from the USA is allowed to + * most countries. There are a few exceptions, but that still should not be a + * problem since this code was originally created in Europe and India. + * + * Blowfish addition originally made by Mohsin Ahmed, + * http://www.cs.albany.edu/~mosh 2010-03-14 + * Based on blowfish by Bruce Schneier (http://www.schneier.com/blowfish.html) + * and sha256 by Christophe Devine. + */ + +typedef struct { + char *name; // encryption name as used in 'cryptmethod' + char *magic; // magic bytes stored in file header + int salt_len; // length of salt, or 0 when not using salt + int seed_len; // length of seed, or 0 when not using seed + int add_len; // additional length in the header needed for storing + // custom data +#ifdef CRYPT_NOT_INPLACE + int works_inplace; // encryption/decryption can be done in-place +#endif + int whole_undofile; // whole undo file is encrypted + + // Optional function pointer for a self-test. + int (*self_test_fn)(void); + + // Function pointer for initializing encryption/decryption. + int (* init_fn)(cryptstate_T *state, char_u *key, crypt_arg_T *arg); + + // Function pointers for encoding/decoding from one buffer into another. + // Optional, however, these or the _buffer ones should be configured. + void (*encode_fn)(cryptstate_T *state, char_u *from, size_t len, + char_u *to, int last); + void (*decode_fn)(cryptstate_T *state, char_u *from, size_t len, + char_u *to, int last); + + // Function pointers for encoding and decoding, can buffer data if needed. + // Optional (however, these or the above should be configured). + long (*encode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, + char_u **newptr, int last); + long (*decode_buffer_fn)(cryptstate_T *state, char_u *from, size_t len, + char_u **newptr, int last); + + // Function pointers for in-place encoding and decoding, used for + // crypt_*_inplace(). "from" and "to" arguments will be equal. + // These may be the same as decode_fn and encode_fn above, however an + // algorithm may implement them in a way that is not interchangeable with + // the crypt_(en|de)code() interface (for example because it wishes to add + // padding to files). + // This method is used for swap and undo files which have a rigid format. + void (*encode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, + char_u *p2, int last); + void (*decode_inplace_fn)(cryptstate_T *state, char_u *p1, size_t len, + char_u *p2, int last); +} cryptmethod_T; + +static int crypt_sodium_init_(cryptstate_T *state, char_u *key, crypt_arg_T *arg); +static long crypt_sodium_buffer_decode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); +static long crypt_sodium_buffer_encode(cryptstate_T *state, char_u *from, size_t len, char_u **buf_out, int last); +#if defined(FEAT_EVAL) && defined(FEAT_SODIUM) +static void crypt_sodium_report_hash_params(unsigned long long opslimit, unsigned long long ops_def, size_t memlimit, size_t mem_def, int alg, int alg_def); +#endif + +// index is method_nr of cryptstate_T, CRYPT_M_* +static cryptmethod_T cryptmethods[CRYPT_M_COUNT] = { + // PK_Zip; very weak + { + "zip", + "VimCrypt~01!", + 0, + 0, + 0, +#ifdef CRYPT_NOT_INPLACE + TRUE, +#endif + FALSE, + NULL, + crypt_zip_init, + crypt_zip_encode, crypt_zip_decode, + NULL, NULL, + crypt_zip_encode, crypt_zip_decode, + }, + + // Blowfish/CFB + SHA-256 custom key derivation; implementation issues. + { + "blowfish", + "VimCrypt~02!", + 8, + 8, + 0, +#ifdef CRYPT_NOT_INPLACE + TRUE, +#endif + FALSE, + blowfish_self_test, + crypt_blowfish_init, + crypt_blowfish_encode, crypt_blowfish_decode, + NULL, NULL, + crypt_blowfish_encode, crypt_blowfish_decode, + }, + + // Blowfish/CFB + SHA-256 custom key derivation; fixed. + { + "blowfish2", + "VimCrypt~03!", + 8, + 8, + 0, +#ifdef CRYPT_NOT_INPLACE + TRUE, +#endif + TRUE, + blowfish_self_test, + crypt_blowfish_init, + crypt_blowfish_encode, crypt_blowfish_decode, + NULL, NULL, + crypt_blowfish_encode, crypt_blowfish_decode, + }, + + // XChaCha20 using libsodium; implementation issues + { + "xchacha20", + "VimCrypt~04!", +#ifdef FEAT_SODIUM + crypto_pwhash_argon2id_SALTBYTES, // 16 +#else + 16, +#endif + 8, + 0, +#ifdef CRYPT_NOT_INPLACE + FALSE, +#endif + FALSE, + NULL, + crypt_sodium_init_, + NULL, NULL, + crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, + NULL, NULL, + }, + // XChaCha20 using libsodium; stores parameters in header + { + "xchacha20v2", + "VimCrypt~05!", +#ifdef FEAT_SODIUM + crypto_pwhash_argon2id_SALTBYTES, // 16 +#else + 16, +#endif + 8, + // sizeof(crypto_pwhash_OPSLIMIT_INTERACTIVE + crypto_pwhash_MEMLIMIT_INTERACTIVE + crypto_pwhash_ALG_DEFAULT) + 20, +#ifdef CRYPT_NOT_INPLACE + FALSE, +#endif + FALSE, + NULL, + crypt_sodium_init_, + NULL, NULL, + crypt_sodium_buffer_encode, crypt_sodium_buffer_decode, + NULL, NULL, + }, + + // NOTE: when adding a new method, use some random bytes for the magic key, + // to avoid that a text file is recognized as encrypted. +}; + +#if defined(FEAT_SODIUM) || defined(PROTO) +typedef struct { + size_t count; + unsigned char key[crypto_box_SEEDBYTES]; + // 32, same as crypto_secretstream_xchacha20poly1305_KEYBYTES + crypto_secretstream_xchacha20poly1305_state + state; +} sodium_state_T; + + +# ifdef DYNAMIC_SODIUM +# ifdef MSWIN +# define SODIUM_PROC FARPROC +# define load_dll vimLoadLib +# define symbol_from_dll GetProcAddress +# define close_dll FreeLibrary +# define load_dll_error GetWin32Error +# else +# error Dynamic loading of libsodium is not supported for now. +//# define HINSTANCE void* +//# define SODIUM_PROC void* +//# define load_dll(n) dlopen((n), RTLD_LAZY|RTLD_GLOBAL) +//# define symbol_from_dll dlsym +//# define close_dll dlclose +//# define load_dll_error dlerror +# endif + +# define sodium_init load_sodium +# define sodium_free dll_sodium_free +# define sodium_malloc dll_sodium_malloc +# define sodium_memzero dll_sodium_memzero +# define sodium_mlock dll_sodium_mlock +# define sodium_munlock dll_sodium_munlock +# define crypto_secretstream_xchacha20poly1305_init_push \ + dll_crypto_secretstream_xchacha20poly1305_init_push +# define crypto_secretstream_xchacha20poly1305_push \ + dll_crypto_secretstream_xchacha20poly1305_push +# define crypto_secretstream_xchacha20poly1305_init_pull \ + dll_crypto_secretstream_xchacha20poly1305_init_pull +# define crypto_secretstream_xchacha20poly1305_pull \ + dll_crypto_secretstream_xchacha20poly1305_pull +# define crypto_pwhash dll_crypto_pwhash +# define randombytes_buf dll_randombytes_buf +# define randombytes_random dll_randombytes_random + +static int (*dll_sodium_init)(void) = NULL; +static void (*dll_sodium_free)(void *) = NULL; +static void *(*dll_sodium_malloc)(const size_t) = NULL; +static void (*dll_sodium_memzero)(void * const, const size_t) = NULL; +static int (*dll_sodium_mlock)(void * const, const size_t) = NULL; +static int (*dll_sodium_munlock)(void * const, const size_t) = NULL; +static int (*dll_crypto_secretstream_xchacha20poly1305_init_push) + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char [], + const unsigned char []) = NULL; +static int (*dll_crypto_secretstream_xchacha20poly1305_push) + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *c, unsigned long long *clen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, unsigned char tag) + = NULL; +static int (*dll_crypto_secretstream_xchacha20poly1305_init_pull) + (crypto_secretstream_xchacha20poly1305_state *state, + const unsigned char [], + const unsigned char []) = NULL; +static int (*dll_crypto_secretstream_xchacha20poly1305_pull) + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen) = NULL; +static int (*dll_crypto_pwhash)(unsigned char * const out, + unsigned long long outlen, + const char * const passwd, unsigned long long passwdlen, + const unsigned char * const salt, + unsigned long long opslimit, size_t memlimit, int alg) + = NULL; +static void (*dll_randombytes_buf)(void * const buf, const size_t size); +static uint32_t (*dll_randombytes_random)(void); + +static struct { + const char *name; + SODIUM_PROC *ptr; +} sodium_funcname_table[] = { + {"sodium_init", (SODIUM_PROC*)&dll_sodium_init}, + {"sodium_free", (SODIUM_PROC*)&dll_sodium_free}, + {"sodium_malloc", (SODIUM_PROC*)&dll_sodium_malloc}, + {"sodium_memzero", (SODIUM_PROC*)&dll_sodium_memzero}, + {"sodium_mlock", (SODIUM_PROC*)&dll_sodium_mlock}, + {"sodium_munlock", (SODIUM_PROC*)&dll_sodium_munlock}, + {"crypto_secretstream_xchacha20poly1305_init_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_push}, + {"crypto_secretstream_xchacha20poly1305_push", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_push}, + {"crypto_secretstream_xchacha20poly1305_init_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_init_pull}, + {"crypto_secretstream_xchacha20poly1305_pull", (SODIUM_PROC*)&dll_crypto_secretstream_xchacha20poly1305_pull}, + {"crypto_pwhash", (SODIUM_PROC*)&dll_crypto_pwhash}, + {"randombytes_buf", (SODIUM_PROC*)&dll_randombytes_buf}, + {"randombytes_random", (SODIUM_PROC*)&dll_randombytes_random}, + {NULL, NULL} +}; + + static int +sodium_runtime_link_init(int verbose) +{ + static HINSTANCE hsodium = NULL; + const char *libname = DYNAMIC_SODIUM_DLL; + int i; + + if (hsodium != NULL) + return OK; + + hsodium = load_dll(libname); + if (hsodium == NULL) + { + if (verbose) + semsg(_(e_could_not_load_library_str_str), libname, load_dll_error()); + return FAIL; + } + + for (i = 0; sodium_funcname_table[i].ptr; ++i) + { + if ((*sodium_funcname_table[i].ptr = symbol_from_dll(hsodium, + sodium_funcname_table[i].name)) == NULL) + { + close_dll(hsodium); + hsodium = NULL; + if (verbose) + semsg(_(e_could_not_load_library_function_str), sodium_funcname_table[i].name); + return FAIL; + } + } + return OK; +} + + static int +load_sodium(void) +{ + if (sodium_runtime_link_init(TRUE) == FAIL) + return -1; + return dll_sodium_init(); +} +# endif + +# if defined(DYNAMIC_SODIUM) || defined(PROTO) + int +sodium_enabled(int verbose) +{ + return sodium_runtime_link_init(verbose) == OK; +} +# endif +#endif + +#define CRYPT_MAGIC_LEN 12 // cannot change +static char crypt_magic_head[] = "VimCrypt~"; + +/* + * Return int value for crypt method name. + * 0 for "zip", the old method. Also for any non-valid value. + * 1 for "blowfish". + * 2 for "blowfish2". + */ + int +crypt_method_nr_from_name(char_u *name) +{ + int i; + + for (i = 0; i < CRYPT_M_COUNT; ++i) + if (STRCMP(name, cryptmethods[i].name) == 0) + return i; + return 0; +} + +/* + * Get the crypt method used for a file from "ptr[len]", the magic text at the + * start of the file. + * Returns -1 when no encryption used. + */ + int +crypt_method_nr_from_magic(char *ptr, int len) +{ + int i; + + if (len < CRYPT_MAGIC_LEN) + return -1; + + for (i = 0; i < CRYPT_M_COUNT; i++) + if (memcmp(ptr, cryptmethods[i].magic, CRYPT_MAGIC_LEN) == 0) + return i; + + i = (int)STRLEN(crypt_magic_head); + if (len >= i && memcmp(ptr, crypt_magic_head, i) == 0) + emsg(_(e_file_is_encrypted_with_unknown_method)); + + return -1; +} + +#ifdef CRYPT_NOT_INPLACE +/* + * Return TRUE if the crypt method for "method_nr" can be done in-place. + */ + int +crypt_works_inplace(cryptstate_T *state) +{ + return cryptmethods[state->method_nr].works_inplace; +} +#endif + +/* + * Get the crypt method for buffer "buf" as a number. + */ + int +crypt_get_method_nr(buf_T *buf) +{ + return crypt_method_nr_from_name(*buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); +} + +/* + * Returns True for Sodium Encryption. + */ + int +crypt_method_is_sodium(int method) +{ + return method == CRYPT_M_SOD || method == CRYPT_M_SOD2; +} + +/* + * Return TRUE when the buffer uses an encryption method that encrypts the + * whole undo file, not only the text. + */ + int +crypt_whole_undofile(int method_nr) +{ + return cryptmethods[method_nr].whole_undofile; +} + +/* + * Get crypt method specific length of the file header in bytes. + */ + int +crypt_get_header_len(int method_nr) +{ + return CRYPT_MAGIC_LEN + + cryptmethods[method_nr].salt_len + + cryptmethods[method_nr].seed_len + + cryptmethods[method_nr].add_len; +} + + +#if defined(FEAT_SODIUM) || defined(PROTO) +/* + * Get maximum crypt method specific length of the file header in bytes. + */ + int +crypt_get_max_header_len(void) +{ + int i; + int max = 0; + int temp = 0; + + for (i = 0; i < CRYPT_M_COUNT; ++i) + { + temp = crypt_get_header_len(i); + if (temp > max) + max = temp; + } + return max; +} +#endif + +/* + * Set the crypt method for buffer "buf" to "method_nr" using the int value as + * returned by crypt_method_nr_from_name(). + */ + void +crypt_set_cm_option(buf_T *buf, int method_nr) +{ + free_string_option(buf->b_p_cm); + buf->b_p_cm = vim_strsave((char_u *)cryptmethods[method_nr].name); +} + +/* + * If the crypt method for the current buffer has a self-test, run it and + * return OK/FAIL. + */ + int +crypt_self_test(void) +{ + int method_nr = crypt_get_method_nr(curbuf); + + if (cryptmethods[method_nr].self_test_fn == NULL) + return OK; + return cryptmethods[method_nr].self_test_fn(); +} + +/* + * Allocate a crypt state and initialize it. + * Return NULL for failure. + */ + cryptstate_T * +crypt_create( + int method_nr, + char_u *key, + crypt_arg_T *crypt_arg) +{ + cryptstate_T *state = ALLOC_ONE(cryptstate_T); + + if (state == NULL) + return state; + + state->method_nr = method_nr; + if (cryptmethods[method_nr].init_fn(state, key, crypt_arg) == FAIL) + { + vim_free(state); + return NULL; + } + return state; +} + +/* + * Allocate a crypt state from a file header and initialize it. + * Assumes that header contains at least the number of bytes that + * crypt_get_header_len() returns for "method_nr". + */ + cryptstate_T * +crypt_create_from_header( + int method_nr, + char_u *key, + char_u *header) +{ + crypt_arg_T arg; + + CLEAR_FIELD(arg); + arg.cat_init_from_file = TRUE; + + arg.cat_salt_len = cryptmethods[method_nr].salt_len; + arg.cat_seed_len = cryptmethods[method_nr].seed_len; + arg.cat_add_len = cryptmethods[method_nr].add_len; + if (arg.cat_salt_len > 0) + arg.cat_salt = header + CRYPT_MAGIC_LEN; + if (arg.cat_seed_len > 0) + arg.cat_seed = header + CRYPT_MAGIC_LEN + arg.cat_salt_len; + if (arg.cat_add_len > 0) + arg.cat_add = header + CRYPT_MAGIC_LEN + + arg.cat_salt_len + arg.cat_seed_len; + + return crypt_create(method_nr, key, &arg); +} + +/* + * Read the crypt method specific header data from "fp". + * Return an allocated cryptstate_T or NULL on error. + */ + cryptstate_T * +crypt_create_from_file(FILE *fp, char_u *key) +{ + int method_nr; + int header_len; + char magic_buffer[CRYPT_MAGIC_LEN]; + char_u *buffer; + cryptstate_T *state; + + if (fread(magic_buffer, CRYPT_MAGIC_LEN, 1, fp) != 1) + return NULL; + method_nr = crypt_method_nr_from_magic(magic_buffer, CRYPT_MAGIC_LEN); + if (method_nr < 0) + return NULL; + + header_len = crypt_get_header_len(method_nr); + if ((buffer = alloc(header_len)) == NULL) + return NULL; + mch_memmove(buffer, magic_buffer, CRYPT_MAGIC_LEN); + if (header_len > CRYPT_MAGIC_LEN + && fread(buffer + CRYPT_MAGIC_LEN, + header_len - CRYPT_MAGIC_LEN, 1, fp) != 1) + { + vim_free(buffer); + return NULL; + } + + state = crypt_create_from_header(method_nr, key, buffer); + vim_free(buffer); + return state; +} + +/* + * Allocate a cryptstate_T for writing and initialize it with "key". + * Allocates and fills in the header and stores it in "header", setting + * "header_len". The header may include salt and seed, depending on + * cryptmethod. Caller must free header. + * Returns the state or NULL on failure. + */ + cryptstate_T * +crypt_create_for_writing( + int method_nr, + char_u *key, + char_u **header, + int *header_len) +{ + int len = crypt_get_header_len(method_nr); + crypt_arg_T arg; + cryptstate_T *state; + + CLEAR_FIELD(arg); + arg.cat_salt_len = cryptmethods[method_nr].salt_len; + arg.cat_seed_len = cryptmethods[method_nr].seed_len; + arg.cat_add_len = cryptmethods[method_nr].add_len; + arg.cat_init_from_file = FALSE; + + *header_len = len; + *header = alloc(len); + if (*header == NULL) + return NULL; + + mch_memmove(*header, cryptmethods[method_nr].magic, CRYPT_MAGIC_LEN); + if (arg.cat_salt_len > 0 || arg.cat_seed_len > 0 || arg.cat_add_len > 0) + { + if (arg.cat_salt_len > 0) + arg.cat_salt = *header + CRYPT_MAGIC_LEN; + if (arg.cat_seed_len > 0) + arg.cat_seed = *header + CRYPT_MAGIC_LEN + arg.cat_salt_len; + if (arg.cat_add_len > 0) + arg.cat_add = *header + CRYPT_MAGIC_LEN + + arg.cat_salt_len + arg.cat_seed_len; + + // TODO: Should this be crypt method specific? (Probably not worth + // it). sha2_seed is pretty bad for large amounts of entropy, so make + // that into something which is suitable for anything. +#ifdef FEAT_SODIUM + if (sodium_init() >= 0) + { + if (arg.cat_salt_len > 0) + randombytes_buf(arg.cat_salt, arg.cat_salt_len); + if (arg.cat_seed_len > 0) + randombytes_buf(arg.cat_seed, arg.cat_seed_len); + } + else +#endif + sha2_seed(arg.cat_salt, arg.cat_salt_len, arg.cat_seed, arg.cat_seed_len); + } + state = crypt_create(method_nr, key, &arg); + if (state == NULL) + VIM_CLEAR(*header); + return state; +} + +/* + * Free the crypt state. + */ + void +crypt_free_state(cryptstate_T *state) +{ +#ifdef FEAT_SODIUM + if (crypt_method_is_sodium(state->method_nr)) + { + sodium_munlock(((sodium_state_T *)state->method_state)->key, + crypto_box_SEEDBYTES); + sodium_memzero(state->method_state, sizeof(sodium_state_T)); + sodium_free(state->method_state); + } + else +#endif + vim_free(state->method_state); + vim_free(state); +} + +#ifdef CRYPT_NOT_INPLACE +/* + * Encode "from[len]" and store the result in a newly allocated buffer, which + * is stored in "newptr". + * Return number of bytes in "newptr", 0 for need more or -1 on error. + */ + long +crypt_encode_alloc( + cryptstate_T *state, + char_u *from, + size_t len, + char_u **newptr, + int last) +{ + cryptmethod_T *method = &cryptmethods[state->method_nr]; + + if (method->encode_buffer_fn != NULL) + // Has buffer function, pass through. + return method->encode_buffer_fn(state, from, len, newptr, last); + if (len == 0) + // Not buffering, just return EOF. + return (long)len; + + *newptr = alloc(len + 50); + if (*newptr == NULL) + return -1; + method->encode_fn(state, from, len, *newptr, last); + return (long)len; +} + +/* + * Decrypt "ptr[len]" and store the result in a newly allocated buffer, which + * is stored in "newptr". + * Return number of bytes in "newptr", 0 for need more or -1 on error. + */ + long +crypt_decode_alloc( + cryptstate_T *state, + char_u *ptr, + long len, + char_u **newptr, + int last) +{ + cryptmethod_T *method = &cryptmethods[state->method_nr]; + + if (method->decode_buffer_fn != NULL) + // Has buffer function, pass through. + return method->decode_buffer_fn(state, ptr, len, newptr, last); + + if (len == 0) + // Not buffering, just return EOF. + return len; + + *newptr = alloc(len); + if (*newptr == NULL) + return -1; + method->decode_fn(state, ptr, len, *newptr, last); + return len; +} +#endif + +/* + * Encrypting "from[len]" into "to[len]". + */ + void +crypt_encode( + cryptstate_T *state, + char_u *from, + size_t len, + char_u *to, + int last) +{ + cryptmethods[state->method_nr].encode_fn(state, from, len, to, last); +} + +#if 0 // unused +/* + * decrypting "from[len]" into "to[len]". + */ + void +crypt_decode( + cryptstate_T *state, + char_u *from, + size_t len, + char_u *to, + int last) +{ + cryptmethods[state->method_nr].decode_fn(state, from, len, to, last); +} +#endif + +/* + * Simple inplace encryption, modifies "buf[len]" in place. + */ + void +crypt_encode_inplace( + cryptstate_T *state, + char_u *buf, + size_t len, + int last) +{ + cryptmethods[state->method_nr].encode_inplace_fn(state, buf, len, + buf, last); +} + +/* + * Simple inplace decryption, modifies "buf[len]" in place. + */ + void +crypt_decode_inplace( + cryptstate_T *state, + char_u *buf, + size_t len, + int last) +{ + cryptmethods[state->method_nr].decode_inplace_fn(state, buf, len, + buf, last); +} + +/* + * Free an allocated crypt key. Clear the text to make sure it doesn't stay + * in memory anywhere. + */ + void +crypt_free_key(char_u *key) +{ + char_u *p; + + if (key != NULL) + { + for (p = key; *p != NUL; ++p) + *p = 0; + vim_free(key); + } +} + +/* + * Check the crypt method and give a warning if it's outdated. + */ + void +crypt_check_method(int method) +{ + if (method < CRYPT_M_BF2 || method == CRYPT_M_SOD) + { + msg_scroll = TRUE; + msg(_("Warning: Using a weak encryption method; see :help 'cm'")); + } +} + +/* + * If the crypt method for "curbuf" does not support encrypting the swap file + * then disable the swap file. + */ + void +crypt_check_swapfile_curbuf(void) +{ +#ifdef FEAT_SODIUM + int method = crypt_get_method_nr(curbuf); + if (crypt_method_is_sodium(method)) + { + // encryption uses padding and MAC, that does not work very well with + // swap and undo files, so disable them + mf_close_file(curbuf, TRUE); // remove the swap file + set_option_value_give_err((char_u *)"swf", 0, NULL, OPT_LOCAL); + msg_scroll = TRUE; + msg(_("Note: Encryption of swapfile not supported, disabling swap file")); + } +#endif +} + + void +crypt_check_current_method(void) +{ + crypt_check_method(crypt_get_method_nr(curbuf)); +} + +/* + * Ask the user for a crypt key. + * When "store" is TRUE, the new key is stored in the 'key' option, and the + * 'key' option value is returned: Don't free it. + * When "store" is FALSE, the typed key is returned in allocated memory. + * Returns NULL on failure. + */ + char_u * +crypt_get_key( + int store, + int twice) // Ask for the key twice. +{ + char_u *p1, *p2 = NULL; + int round; + + for (round = 0; ; ++round) + { + cmdline_star = TRUE; + cmdline_row = msg_row; + p1 = getcmdline_prompt(NUL, round == 0 + ? (char_u *)_("Enter encryption key: ") + : (char_u *)_("Enter same key again: "), 0, EXPAND_NOTHING, + NULL); + cmdline_star = FALSE; + + if (p1 == NULL) + break; + + if (round == twice) + { + if (p2 != NULL && STRCMP(p1, p2) != 0) + { + msg(_("Keys don't match!")); + crypt_free_key(p1); + crypt_free_key(p2); + p2 = NULL; + round = -1; // do it again + continue; + } + + if (store) + { + set_option_value_give_err((char_u *)"key", 0L, p1, OPT_LOCAL); + crypt_free_key(p1); + p1 = curbuf->b_p_key; + crypt_check_swapfile_curbuf(); + } + break; + } + p2 = p1; + } + + // since the user typed this, no need to wait for return + if (!crypt_method_is_sodium(crypt_get_method_nr(curbuf))) + { + if (msg_didout) + msg_putchar('\n'); + need_wait_return = FALSE; + msg_didout = FALSE; + } + + crypt_free_key(p2); + return p1; +} + + +/* + * Append a message to IObuff for the encryption/decryption method being used. + */ + void +crypt_append_msg( + buf_T *buf) +{ + if (crypt_get_method_nr(buf) == 0) + STRCAT(IObuff, _("[crypted]")); + else + { + STRCAT(IObuff, "["); + STRCAT(IObuff, *buf->b_p_cm == NUL ? p_cm : buf->b_p_cm); + STRCAT(IObuff, "]"); + } +} + + static int +crypt_sodium_init_( + cryptstate_T *state UNUSED, + char_u *key UNUSED, + crypt_arg_T *arg UNUSED) +{ +# ifdef FEAT_SODIUM + // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES + unsigned char dkey[crypto_box_SEEDBYTES]; // 32 + sodium_state_T *sd_state; + int retval = 0; + unsigned long long opslimit; + unsigned long long memlimit; + int alg; + + if (sodium_init() < 0) + return FAIL; + + sd_state = (sodium_state_T *)sodium_malloc(sizeof(sodium_state_T)); + sodium_memzero(sd_state, sizeof(sodium_state_T)); + + if ((state->method_nr == CRYPT_M_SOD2 && !arg->cat_init_from_file) + || state->method_nr == CRYPT_M_SOD) + { + opslimit = crypto_pwhash_OPSLIMIT_INTERACTIVE; + memlimit = crypto_pwhash_MEMLIMIT_INTERACTIVE; + alg = crypto_pwhash_ALG_DEFAULT; + +#if 0 + // For testing + if (state->method_nr == CRYPT_M_SOD2) + { + opslimit = crypto_pwhash_OPSLIMIT_MODERATE; + memlimit = crypto_pwhash_MEMLIMIT_MODERATE; + } +#endif + + // derive a key from the password + if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), + arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) + { + // out of memory + sodium_free(sd_state); + return FAIL; + } + memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); + + retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); + retval += sodium_mlock(key, STRLEN(key)); + + if (retval < 0) + { + emsg(_(e_encryption_sodium_mlock_failed)); + sodium_free(sd_state); + return FAIL; + } + // "cat_add" should not be NULL, check anyway for safety + if (state->method_nr == CRYPT_M_SOD2 && arg->cat_add != NULL) + { + memcpy(arg->cat_add, &opslimit, sizeof(opslimit)); + arg->cat_add += sizeof(opslimit); + + memcpy(arg->cat_add, &memlimit, sizeof(memlimit)); + arg->cat_add += sizeof(memlimit); + + memcpy(arg->cat_add, &alg, sizeof(alg)); + arg->cat_add += sizeof(alg); + } + } + else + { + // Reading parameters from file + if (arg->cat_add_len + < (int)(sizeof(opslimit) + sizeof(memlimit) + sizeof(alg))) + { + sodium_free(sd_state); + return FAIL; + } + + // derive the key from the file header + memcpy(&opslimit, arg->cat_add, sizeof(opslimit)); + arg->cat_add += sizeof(opslimit); + + memcpy(&memlimit, arg->cat_add, sizeof(memlimit)); + arg->cat_add += sizeof(memlimit); + + memcpy(&alg, arg->cat_add, sizeof(alg)); + arg->cat_add += sizeof(alg); + +#ifdef FEAT_EVAL + crypt_sodium_report_hash_params(opslimit, + crypto_pwhash_OPSLIMIT_INTERACTIVE, + (size_t)memlimit, crypto_pwhash_MEMLIMIT_INTERACTIVE, + alg, crypto_pwhash_ALG_DEFAULT); +#endif + + if (crypto_pwhash(dkey, sizeof(dkey), (const char *)key, STRLEN(key), + arg->cat_salt, opslimit, (size_t)memlimit, alg) != 0) + { + // out of memory + sodium_free(sd_state); + return FAIL; + } + memcpy(sd_state->key, dkey, crypto_box_SEEDBYTES); + + retval += sodium_mlock(sd_state->key, crypto_box_SEEDBYTES); + retval += sodium_mlock(key, STRLEN(key)); + + if (retval < 0) + { + emsg(_(e_encryption_sodium_mlock_failed)); + sodium_free(sd_state); + return FAIL; + } + } + sd_state->count = 0; + state->method_state = sd_state; + + return OK; +# else + emsg(_(e_libsodium_not_built_in)); + return FAIL; +# endif +} + +/* + * Encrypt "from[len]" into "to[len]". + * "from" and "to" can be equal to encrypt in place. + * Call needs to ensure that there is enough space in to (for the header) + */ +#if 0 // Currently unused + void +crypt_sodium_encode( + cryptstate_T *state UNUSED, + char_u *from UNUSED, + size_t len UNUSED, + char_u *to UNUSED, + int last UNUSED) +{ +# ifdef FEAT_SODIUM + // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES + sodium_state_T *sod_st = state->method_state; + unsigned char tag = last + ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; + + if (sod_st->count == 0) + { + if (len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) + { + emsg(_(e_libsodium_cannot_encrypt_header)); + return; + } + crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, + to, sod_st->key); + to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; + } + + if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) + { + emsg(_(e_libsodium_cannot_encrypt_buffer)); + return; + } + + crypto_secretstream_xchacha20poly1305_push(&sod_st->state, to, NULL, + from, len, NULL, 0, tag); + + sod_st->count++; +# endif +} +#endif + +/* + * Decrypt "from[len]" into "to[len]". + * "from" and "to" can be equal to encrypt in place. + */ +#if 0 // Currently unused + void +crypt_sodium_decode( + cryptstate_T *state UNUSED, + char_u *from UNUSED, + size_t len UNUSED, + char_u *to UNUSED, + int last UNUSED) +{ +# ifdef FEAT_SODIUM + // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES + sodium_state_T *sod_st = state->method_state; + unsigned char tag; + unsigned long long buf_len; + char_u *p1 = from; + char_u *p2 = to; + char_u *buf_out; + + if (sod_st->count == 0 + && len <= crypto_secretstream_xchacha20poly1305_HEADERBYTES) + { + emsg(_(e_libsodium_cannot_decrypt_header)); + return; + } + + buf_out = (char_u *)alloc(len); + + if (buf_out == NULL) + { + emsg(_(e_libsodium_cannot_allocate_buffer)); + return; + } + if (sod_st->count == 0) + { + if (crypto_secretstream_xchacha20poly1305_init_pull( + &sod_st->state, from, sod_st->key) != 0) + { + emsg(_(e_libsodium_decryption_failed_header_incomplete)); + goto fail; + } + + from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; + len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; + + if (p1 == p2) + to += crypto_secretstream_xchacha20poly1305_HEADERBYTES; + } + + if (sod_st->count && len <= crypto_secretstream_xchacha20poly1305_ABYTES) + { + emsg(_(e_libsodium_cannot_decrypt_buffer)); + goto fail; + } + if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, + buf_out, &buf_len, &tag, from, len, NULL, 0) != 0) + { + emsg(_(e_libsodium_decryption_failed)); + goto fail; + } + sod_st->count++; + + if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) + { + emsg(_(e_libsodium_decryption_failed_premature)); + goto fail; + } + if (p1 == p2) + mch_memmove(p2, buf_out, buf_len); + +fail: + vim_free(buf_out); +# endif +} +#endif + +/* + * Encrypt "from[len]" into "to[len]". + * "from" and "to" can be equal to encrypt in place. + */ + static long +crypt_sodium_buffer_encode( + cryptstate_T *state UNUSED, + char_u *from UNUSED, + size_t len UNUSED, + char_u **buf_out UNUSED, + int last UNUSED) +{ +# ifdef FEAT_SODIUM + // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES + unsigned long long out_len; + char_u *ptr; + unsigned char tag = last + ? crypto_secretstream_xchacha20poly1305_TAG_FINAL : 0; + int length; + sodium_state_T *sod_st = state->method_state; + int first = (sod_st->count == 0); + + length = (int)len + crypto_secretstream_xchacha20poly1305_ABYTES + + (first ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); + *buf_out = alloc_clear(length); + if (*buf_out == NULL) + { + emsg(_(e_libsodium_cannot_allocate_buffer)); + return -1; + } + ptr = *buf_out; + + if (first) + { + crypto_secretstream_xchacha20poly1305_init_push(&sod_st->state, + ptr, sod_st->key); + ptr += crypto_secretstream_xchacha20poly1305_HEADERBYTES; + } + + crypto_secretstream_xchacha20poly1305_push(&sod_st->state, ptr, + &out_len, from, len, NULL, 0, tag); + + sod_st->count++; + return out_len + (first + ? crypto_secretstream_xchacha20poly1305_HEADERBYTES : 0); +# else + return -1; +# endif +} + +/* + * Decrypt "from[len]" into "to[len]". + * "from" and "to" can be equal to encrypt in place. + */ + static long +crypt_sodium_buffer_decode( + cryptstate_T *state UNUSED, + char_u *from UNUSED, + size_t len UNUSED, + char_u **buf_out UNUSED, + int last UNUSED) +{ +# ifdef FEAT_SODIUM + // crypto_box_SEEDBYTES == crypto_secretstream_xchacha20poly1305_KEYBYTES + sodium_state_T *sod_st = state->method_state; + unsigned char tag; + unsigned long long out_len; + + if (sod_st->count == 0 + && state->method_nr == CRYPT_M_SOD + && len > WRITEBUFSIZE + + crypto_secretstream_xchacha20poly1305_HEADERBYTES + + crypto_secretstream_xchacha20poly1305_ABYTES) + len -= cryptmethods[CRYPT_M_SOD2].add_len; + + *buf_out = alloc_clear(len); + if (*buf_out == NULL) + { + emsg(_(e_libsodium_cannot_allocate_buffer)); + return -1; + } + + if (sod_st->count == 0) + { + if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state, + from, sod_st->key) != 0) + { + emsg(_(e_libsodium_decryption_failed_header_incomplete)); + return -1; + } + from += crypto_secretstream_xchacha20poly1305_HEADERBYTES; + len -= crypto_secretstream_xchacha20poly1305_HEADERBYTES; + sod_st->count++; + } + if (crypto_secretstream_xchacha20poly1305_pull(&sod_st->state, + *buf_out, &out_len, &tag, from, len, NULL, 0) != 0) + { + emsg(_(e_libsodium_decryption_failed)); + return -1; + } + + if (tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL && !last) + emsg(_(e_libsodium_decryption_failed_premature)); + return (long) out_len; +# else + return -1; +# endif +} + +# if defined(FEAT_SODIUM) || defined(PROTO) + int +crypt_sodium_munlock(void *const addr, const size_t len) +{ + return sodium_munlock(addr, len); +} + + void +crypt_sodium_randombytes_buf(void *const buf, const size_t size) +{ + randombytes_buf(buf, size); +} + + int +crypt_sodium_init(void) +{ + return sodium_init(); +} + + uint32_t +crypt_sodium_randombytes_random(void) +{ + return randombytes_random(); +} + +#if defined(FEAT_EVAL) || defined(PROTO) + static void +crypt_sodium_report_hash_params( + unsigned long long opslimit, + unsigned long long ops_def, + size_t memlimit, + size_t mem_def, + int alg, + int alg_def) +{ + if (p_verbose > 0) + { + verbose_enter(); + if (opslimit != ops_def) + smsg(_("xchacha20v2: using custom opslimit \"%llu\" for Key derivation."), opslimit); + else + smsg(_("xchacha20v2: using default opslimit \"%llu\" for Key derivation."), opslimit); + if (memlimit != mem_def) + smsg(_("xchacha20v2: using custom memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); + else + smsg(_("xchacha20v2: using default memlimit \"%lu\" for Key derivation."), (unsigned long)memlimit); + if (alg != alg_def) + smsg(_("xchacha20v2: using custom algorithm \"%d\" for Key derivation."), alg); + else + smsg(_("xchacha20v2: using default algorithm \"%d\" for Key derivation."), alg); + verbose_leave(); + } +} +#endif +# endif + +#endif // FEAT_CRYPT